[opensuse] Running services as non-root user
Hello All,

I seem to be a little confused, so I may already know the correct answer, or may be stating it in the question.

I know that you should try and not run anything as root. For example, when you install mysql server, it starts with either the mysql user or the nobody user.

#1. What is this nobody user? It seems that you cannot log in as nobody. Is this a generic guest-like account just for running services? Is this like the mysql user but with a different name? What do you call these types of accounts?

#2. Also, it seems to me that binding to a port would be a root level access thing. For example, if I start a program to bind to port 15000 then nothing else can bind to that port. Does it work like level of importance? If root wants to bind to that port does it drop the nobody user from that port?

#3. Should you have a different "nobody" like user for each service you want to run? Or is that overkill?

As always, thanks very much for any assistance or thoughts.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Hi,

You should have each service running under a different user, each of these "service" users having access only to what it really needs: for instance having Tomcat running as a tomcat user, zope running as a zope user, ...

The reason for this is improved security, and it's really not overkill (how many different daemons will you run on a machine?)

You need to start the daemon as root only if it has to bind to a port under 1024. If, for instance, you configure tomcat to listen on port 8080, you don't (shouldn't) have to start it as root. There are a few services (for instance apache) that bind to a port < 1024: some of them start as root to bind to the port and, as soon as it's done, they drop their privileges and use a "normal" user (on OpenSUSE, wwwrun for apache).

I would not recommend using the nobody user unless you have to (samba, NFS, ...): better to use a normal, dedicated user with the least privileges.

Kind regards,
Gaël
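Added example, not part of the thread or of any daemon's own code: a Python sketch of the start-up order described in the message above, binding the port while still privileged and then switching permanently to a dedicated account. The function names and the uid/gid value 1500 are assumptions made for illustration.

```python
import os
import socket

def open_listener(port, host="127.0.0.1"):
    """Bind and listen; for a port below 1024 the caller must still be root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock

def drop_privileges(uid, gid):
    """Permanently switch to an unprivileged uid/gid and return the ids now in effect."""
    if uid == 0 or gid == 0:
        raise ValueError("target must be an unprivileged account, not root")
    if os.geteuid() == 0:
        os.setgroups([])  # shed root's supplementary groups; only root may do this
    os.setgid(gid)        # group first: once the uid is dropped it can no longer change
    os.setuid(uid)        # as root this sets real, effective and saved uid together
    try:
        os.setuid(0)      # must fail now, otherwise the drop was not permanent
    except PermissionError:
        return os.getuid(), os.getgid()
    raise RuntimeError("root can still be regained after the drop")

def start_service(port, uid, gid):
    """Start-up order from the thread: bind while privileged, then drop, then serve."""
    sock = open_listener(port)
    drop_privileges(uid, gid)
    return sock  # the already-bound socket keeps working without root

if __name__ == "__main__":
    if os.geteuid() == 0:
        # Assumption: uid/gid 1500 stand in for a dedicated service account.
        listener = start_service(80, 1500, 1500)
    else:
        # Without root: port 0 lets the kernel pick a free unprivileged port.
        listener = start_service(0, os.getuid(), os.getgid())
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```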
On Wednesday 14 March 2007 14:06, Abstract wrote:
> Hello All,
>
> I seem to be a little confused, so I may already know the correct answer, or may be stating it in the question.
>
> I know that you should try and not run anything as root. For example, when you install mysql server, it starts with either the mysql user or the nobody user.
>
> #1. What is this nobody user? It seems that you cannot log in as nobody. Is this a generic guest-like account just for running services? Is this like the mysql user but with a different name? What do you call these types of accounts?

It's just an account where logins have been disabled, for security reasons

> #2. Also, it seems to me that binding to a port would be a root level access thing.

No, only ports 0-1023 are restricted to root.

> For example, if I start a program to bind to port 15000 then nothing else can bind to that port. Does it work like level of importance? If root wants to bind to that port does it drop the nobody user from that port?

No, not by default, root would get an error saying that the port is in use (although he can of course kill the process using the port if he wants to)

> #3. Should you have a different "nobody" like user for each service you want to run? Or is that overkill?

There already are, for most of the normal services shipping in suse, e.g. wwwrun for apache, sshd for sshd, ntp for the ntp daemon and so on. Have a look in /etc/passwd for the complete list. All the lines that end in /bin/false have logins disabled
Anders, thanks for the help, I will look into this immediately.
On 3/14/07, Abstract wrote:
> Anders, thanks for the help, I will look into this immediately.

Just to add to what Anders said: using different users for different services is one more protection level, as if such a service gets compromised, the attacker will not be able to mess with other services.

Let's say, if both apache and mysql run as user nobody, then if someone compromises mysql and can make mysqld execute arbitrary code - this new attack code will run as nobody as well. Now if apache is running as nobody, the attacker can mess with the apache process.

So, in general, if you plan to run your own service, better create a new user for it.

Cheers
--
Svetoslav Milenov (Sunny)

Even the most advanced equipment in the hands of the ignorant is just a pile of scrap.
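Added example, not part of the thread: a Python audit that combines the /etc/passwd check Anders describes with the shared-account risk in the message above, reporting daemons that run as root, share one account, or use an account that still allows logins. The passwd lines and process list are constructed sample data, the appsvc, myapp and mydaemon names are hypothetical, and the nologin shell paths are an assumption beyond the /bin/false named in the thread.

```python
from collections import defaultdict

# Assumption: the thread names /bin/false; the nologin paths are added here.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample data, not taken from a real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
appsvc:x:1001:100:hypothetical app account:/home/appsvc:/bin/bash
"""
# (account, daemon) pairs as a process listing would report them (constructed).
PROCESSES = [("nobody", "httpd"), ("nobody", "mysqld"), ("ntp", "ntpd"),
             ("appsvc", "myapp"), ("root", "mydaemon")]

def parse_passwd(text):
    """Map account name -> uid and login shell, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = {"uid": int(fields[2]), "shell": fields[6]}
    return accounts

def audit(accounts, processes):
    """Return (account, daemons, problem) findings for the running services."""
    daemons_by_user = defaultdict(set)
    for user, daemon in processes:
        daemons_by_user[user].add(daemon)
    findings = []
    for user, daemons in sorted(daemons_by_user.items()):
        names = ",".join(sorted(daemons))
        acct = accounts.get(user)
        if acct is None:
            findings.append((user, names, "no passwd entry"))
        elif acct["uid"] == 0:
            findings.append((user, names, "runs as root"))
        else:
            if len(daemons) > 1:
                findings.append((user, names, "account shared between services"))
            if acct["shell"] not in NOLOGIN_SHELLS:
                findings.append((user, names, "service account allows login"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_passwd(PASSWD), PROCESSES):
        print(*finding, sep="  ")
```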
participants (4)
- Abstract
- Anders Johansson
- Gaël Lams
- Sunny